
Re: “Meltdown” and “Spectre”: Every modern processor has unfixable security flaws




I was hoping to be retired before this happened......
All of AWS EC2 is rebooting today by 4pm UTC
AppArmor everywhere: Can't trust the hardware to do it right. Clowns! Buffo!

On Thu, Jan 4, 2018 at 12:19 PM, Michael Fothergill
<michael.fothergill@xxxxxxxxx> wrote:
>
>
> On 4 January 2018 at 17:55, The Wanderer <wanderer@xxxxxxxxxxx> wrote:
>>
>> On 2018-01-04 at 12:30, Michael Fothergill wrote:
>>
>> > On 4 January 2018 at 17:22, Curt <curty@xxxxxxx> wrote:
>> >
>> >>
>> >> https://arstechnica.com/gadgets/2018/01/meltdown-and-spectre-every-modern-processor-has-unfixable-security-flaws/
>> >>
>> >>
>> >> TL;DR
>> >>
>> >>  Windows, Linux, and macOS have all received security patches that
>> >>  significantly alter how the operating systems handle virtual memory in
>> >>  order to protect against a hitherto undisclosed flaw.
>> >> ...
>> >>  In the immediate term, it looks like most systems will shortly have
>> >>  patches for Meltdown. At least for Linux and Windows, these patches
>> >>  allow end-users to opt out if they would prefer. The most vulnerable
>> >>  users are probably cloud service providers; Meltdown and Spectre can
>> >>  both in principle be used to further attacks against hypervisors,
>> >>  making it easier for malicious users to break out of their virtual
>> >>  machines.
>> >> ...
>> >>  For typical desktop users, the risk is arguably less significant.
>> >>  While both Meltdown and Spectre can have value in expanding the scope
>> >>  of an existing flaw, neither one is sufficient on its own to, for
>> >>  example, break out of a Web browser.
>> >>
>> >> Apparent moral of story for CPU: don't speculate (but it's
>> >> significantly *slower*).
>> >
>> > Isn't this mainly an Intel problem?  I use AMD chipsets.  I would go for
>> > Ryzen nowadays anyway.
>>
>> Meltdown so far is not known to affect anything other than Intel.
>>
>> Spectre, however, is confirmed to affect AMD CPUs - and Ryzen CPUs are
>> specifically stated to be affected.
>
>
> But if the Spectre vulnerability is hard to exploit in practice and even in
> artificial test situations devised e.g. in the world of Linus Torvalds then
> AMD could turn out to be relatively cyber-kosher in the end.
>
> MF
>
>>
>>
>> --
>>    The Wanderer
>>
>> The reasonable man adapts himself to the world; the unreasonable one
>> persists in trying to adapt the world to himself. Therefore all
>> progress depends on the unreasonable man.         -- George Bernard Shaw
>>
>